Sherman's Security Blog
I am Sherman Hand (also known as Policysup). I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down-to-earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, reposts, or information that is already in the public domain.

The DoD Invites Hackers to Test Enterprise System Security Used for Global Operations.

HackerOne, the leading hacker-powered security platform, today announced the fifth U.S. Department of Defense bug bounty program. The program opened registration on April 1, 2018, scheduled to conclude on April 29, 2018, and will focus on a Department of Defense (DoD) enterprise system relied on by millions of employees for global operations.

“The DoD has seen tremendous success to date working with hackers to secure our vital systems, and we’re looking forward to taking a page from their playbook,” said Jack Messer, project lead at Defense Manpower Data Center. “We’re excited to be working with the global ethical hacker community, and the diverse perspectives they bring to the table, to continue to secure our critical systems.”

To be eligible to participate in the bug bounty challenge, individuals from the public must be United States taxpayers or a citizen of or eligible to work in the United Kingdom, Canada, Australia, or New Zealand. U.S. government active military members and contractor personnel are also eligible to participate but not eligible for financial rewards. See full eligibility requirements and register here.

“Millions of government employees and contractors use and rely upon key enterprise systems every day,” said Reina Staley, Chief of Staff at Defense Digital Service. “Any compromise of the system or the sensitive information it handles would be detrimental to our people and our mission. These bug bounty challenges are a way to give talent outside the public sector a channel to safely disclose security issues and get rewarded for these acts of patriotism.”

Since the Hack the Pentagon program kicked off in 2016, over 3,000 vulnerabilities have been resolved in government systems. The first Hack the Air Force bug bounty challenge resulted in 207 valid reports and hackers earned more than $130,000 for their contributions. The second Hack the Air Force resulted in 106 valid vulnerabilities surfaced and $103,883 paid to hackers. Hack the Army in December 2016 surfaced 118 valid vulnerabilities and paid $100,000, and Hack the Pentagon in May 2016 resulted in 138 valid vulnerabilities resolved and tens of thousands paid to ethical hackers for their efforts. Hack the Air Force 2.0 demonstrates continued momentum of the Hack the Pentagon program beyond just its first year, as well as a hardened attack surface.

“The most security mature organizations look to others for help,” said Alex Rice, co-founder and CTO at HackerOne. “The Department of Defense continues to innovate with each bug bounty challenge, and the latest challenge is no exception. We’re excited to bring a fresh, mission-critical asset to the hacker community with the goal of protecting the sensitive government data it contains.”